
Why do you think changing the implementation to the server side will comply with the letter of the law? Or perhaps I should ask which law.

GDPR doesn't differentiate between the client side or server side; you're simply not allowed to keep information on users unless they've consented to it being kept or it is required for a legitimate functionality to which they have consented.



So I am not allowed to keep server logs without consent?


If you're processing server logs for marketing purposes, then no, you need consent to do that.

You also should be trying to scrub IP addresses from those logs as that counts as PII.


>You also should be trying to scrub IP addresses from those logs as that counts as PII.

That counts as personal data.

The GDPR doesn't care about "PII", as that is a US legal term and not something defined or referenced in EU law.


Fair point.


That depends entirely on the nature of the information that is contained in your server logs.


And the purposes for which those logs are being used.


The "cookie law" that created the cookie banner mess predates GDPR by some years.



